Data Processing Addendum
Last updated: November 21, 2025
This Data Processing Addendum ("DPA") is incorporated into and forms part of the ClarityDesk Terms of Service ("Agreement") between ClarityDesk Inc. ("ClarityDesk," "Data Processor," "we," "us," or "our") and the Customer ("Data Controller," "you," or "your").
This DPA applies where and only to the extent that ClarityDesk processes Personal Data on behalf of the Customer in the course of providing the ClarityDesk platform and related services ("Services") and such processing is subject to Data Protection Laws.
By accepting the Agreement or using the Services, you agree to the terms of this DPA.
1. Definitions
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including:
  - The General Data Protection Regulation (EU) 2016/679 ("GDPR");
  - The UK GDPR and Data Protection Act 2018;
  - Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA");
  - The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA");
  - Any successor or replacement legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ClarityDesk on behalf of the Customer under this DPA.
- "Processing" and related terms have the meanings given in the GDPR (and apply mutatis mutandis under other Data Protection Laws).
- "Sub-processor" means any third party engaged by ClarityDesk to process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
2. Roles and Scope of Processing
Data Controller and Data Processor: The Customer is the Data Controller of Personal Data submitted to the Services. ClarityDesk is the Data Processor.
Scope of Processing: ClarityDesk will process Personal Data only:
- In accordance with the Customer's documented instructions (including those set out in the Agreement);
- To provide, maintain, and improve the Services;
- To comply with applicable legal obligations; and
- As otherwise agreed in writing.
ClarityDesk will not sell, rent, or share Personal Data with third parties for their own marketing purposes.
3. Customer Obligations and Instructions
The Customer represents and warrants that:
- It has all necessary rights and has provided all necessary notices and obtained all necessary consents to submit Personal Data to ClarityDesk for processing under the Agreement;
- Its instructions (including those in the Agreement) comply with all applicable Data Protection Laws;
- It will ensure that any instructions it provides to ClarityDesk do not place ClarityDesk in breach of Data Protection Laws.
If ClarityDesk believes an instruction violates Data Protection Laws, ClarityDesk will inform the Customer and may suspend performance until the instruction is confirmed or amended.
4. Details of Processing
Subject Matter:
Provision of the ClarityDesk SaaS platform for professional services management.
Duration:
For the term of the Agreement and any applicable post-termination retention period.
Nature and Purpose of Processing:
Storage, retrieval, analysis, and display of data related to time tracking, project management, financial forecasting, and related business operations.
Types of Personal Data:
- Contact information (names, email addresses, phone numbers);
- Employment information (job titles, team assignments, wage rates);
- Time tracking and attendance records;
- Project and client data;
- Financial data (billing, invoicing, forecasts);
- User-generated content (notes, attachments, reports).
Categories of Data Subjects:
- Customer's employees, contractors, and other staff;
- Customer's clients and their representatives;
- Users authorized by the Customer to access the Services.
5. Security Measures
ClarityDesk will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest where technically feasible;
- Access Controls: Role-based access controls, authentication requirements, and activity logging;
- Infrastructure Security: Use of reputable cloud infrastructure providers with SOC 2, ISO 27001, or equivalent certifications;
- Monitoring and Incident Response: Continuous monitoring, logging, and documented incident response procedures;
- Data Backups: Regular automated backups with secure storage.
ClarityDesk will review and update these measures regularly to account for technological developments and emerging threats.
6. Sub-processors
General Authorization: The Customer provides general authorization for ClarityDesk to engage Sub-processors to assist in providing the Services.
Current Sub-processors: ClarityDesk currently uses the following categories of Sub-processors:
- Cloud Infrastructure: Supabase (PostgreSQL hosting, authentication), Vercel (application hosting);
- Payment Processing: Stripe (payment and subscription management);
- Communication Services: Email service providers for transactional and support communications;
- Monitoring and Support: Tools for application performance monitoring and customer support ticketing.
A current list of Sub-processors, including their locations and roles, is available upon written request to privacy@claritydesk.io.
Sub-processor Obligations: ClarityDesk will:
- Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to this DPA;
- Ensure Sub-processors implement appropriate technical and organizational security measures;
- Remain fully liable to the Customer for the performance of any Sub-processor.
Changes to Sub-processors: ClarityDesk will provide at least 30 days' advance notice of any new or replacement Sub-processor. If the Customer objects on reasonable data protection grounds, the parties will work in good faith to address concerns. If no resolution is reached, the Customer may terminate the affected Services without penalty.
7. Data Subject Rights
ClarityDesk will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise any rights under Data Protection Laws (e.g., access, rectification, erasure, restriction, portability, objection).
ClarityDesk will, taking into account the nature of the processing, provide reasonable assistance to the Customer in fulfilling its obligation to respond to such requests, including by:
- Providing the Customer with access to relevant Personal Data;
- Making available functionality within the Services to enable data export or deletion; and
- Responding to requests as reasonably directed by the Customer.
If ClarityDesk is legally required to respond directly to a Data Subject request, ClarityDesk will inform the Customer before doing so, unless prohibited by law.
8. Data Breach Notification
ClarityDesk will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by ClarityDesk ("Personal Data Breach").
Such notification will include, to the extent reasonably available:
- A description of the nature of the breach;
- The categories and approximate number of Data Subjects and Personal Data records affected;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects.
ClarityDesk will cooperate with the Customer and take reasonable steps to remediate the breach and prevent recurrence.
9. Data Protection Impact Assessments and Consultations
Upon the Customer's written request, ClarityDesk will provide reasonable assistance (at the Customer's expense if the assistance requires substantial time or resources) to enable the Customer to conduct data protection impact assessments or prior consultations with supervisory authorities as required under Data Protection Laws.
10. International Data Transfers
ClarityDesk is headquartered in Ontario, Canada. Personal Data may be stored and processed in Canada, the United States, or other jurisdictions where ClarityDesk or its Sub-processors maintain facilities.
Adequacy and Safeguards: To the extent that ClarityDesk processes Personal Data that is subject to the GDPR or UK GDPR and such processing involves a transfer of Personal Data to a country not recognized as providing adequate protection:
- ClarityDesk will ensure that such transfers are made in accordance with Chapter V of the GDPR;
- The parties agree to execute the Standard Contractual Clauses (Module Two: Controller-to-Processor) approved by the European Commission (Decision 2021/914) or the UK International Data Transfer Addendum, as applicable;
- Upon request, ClarityDesk will provide the Customer with a copy of the executed SCCs or relevant transfer mechanism documentation.
The Customer acknowledges and consents to such transfers on the basis of the safeguards described in this DPA.
11. Audit and Compliance
ClarityDesk will, upon reasonable written request and subject to confidentiality obligations, make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
The Customer may (at its own expense and with reasonable advance notice, no more than once per year, unless required by a supervisory authority):
- Request copies of relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) held by ClarityDesk or its Sub-processors;
- Conduct audits or inspections of ClarityDesk's data processing activities, provided such audits do not unreasonably interfere with ClarityDesk's business operations and are subject to execution of a separate audit agreement.
ClarityDesk may charge reasonable fees for assistance beyond the provision of standard compliance documentation.
12. Data Retention and Deletion
ClarityDesk will retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.
Upon Termination: Within 30 days following termination or expiration of the Agreement (or such other period as required by law or specified in the Agreement), ClarityDesk will, at the Customer's choice:
- Return all Personal Data to the Customer in a commonly used, machine-readable format; or
- Securely delete or anonymize all Personal Data.
ClarityDesk may retain copies of Personal Data to the extent required by applicable law, and only for so long as required, subject to continued confidentiality and security protections.
13. Limitation of Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA reduces either party's liability under the Agreement.
Contact Information
For questions or requests related to this DPA, please contact:
ClarityDesk Inc.
Attn: Privacy Officer / Data Protection Officer
Email: privacy@claritydesk.io
Website: https://claritydesk.io